SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX 650_Firewall policy issue

    Posted 10-28-2015 10:13

    Hi Friends,

     

    1. I am very new to the Juniper environment. I have to create a policy to access the internet from trust to untrust for 2 hosts. From the trust zone we have not enabled internet access for any machines apart from 192.168.55.11.

     

    the configuration as follows 

     

    set security zones security-zone trust address-book address Internal-DNS-Server2_192.168.55.11 192.168.55.11/32
    set security zones security-zone trust address-book address-set Internet-Access-Server address Internal-DNS-Server2_192.168.55.11

    set security policies from-zone trust to-zone untrust policy SOCO007XXXXXXX1 match source-address Internal-DNS-Server2_192.168.55.11
    set security policies from-zone trust to-zone untrust policy SOCO007XXXXXXX1 match destination-address any
    set security policies from-zone trust to-zone untrust policy SOCO007XXXXXXX1 match application junos-smtp
    set security policies from-zone trust to-zone untrust policy SOCO007XXXXXXX1 match application tcp_465
    set security policies from-zone trust to-zone untrust policy SOCO007XXXXXXX1 match application tcp_587
    set security policies from-zone trust to-zone untrust policy SOCO007XXXXXXX1 then permit application-services idp

     

    "SOCO007XXXXXXX1" - what is this number referring to?

     

    (This was done previously)

     

    How can I add 2 more machines? As I am not much of an expert at the configuration level, I am expecting a step-by-step solution.

     

    2. How can I update my IDP subscription, which is going to expire soon, without affecting the production system (there is a primary and a secondary device)?

     

    Kindly advise whether the change will affect/override the existing configuration.

     

    Thanks & Regards in Advance.

     

     



  • 2.  RE: SRX 650_Firewall policy issue
    Best Answer

    Posted 10-28-2015 14:03

    "SOCO007XXXXXXX1" what is this number referring to?  <-- that is the policy name.  Didn't you name it?

     

    To add more hosts you can simply use another set statement like this:

     

    set security policies from-zone trust to-zone untrust policy SOCO007XXXXXXX1 match source-address Internal-DNS-Server3_192.168.55.12

     

    It will append the new host to the policy.  However, it must be in the address book first.  You can "preview" your changes by using the command:

     

    show | compare

     

    You should see your policy listed with the new host.  If you want to add multiple hosts with the same command, use brackets like this:

     

    set security policies from-zone trust to-zone untrust policy SOCO007XXXXXXX1 match source-address [Internal-DNS-Server2_192.168.55.11 Internal-DNS-Server3_192.168.55.12]

     

    For the IDP issue, you will need to buy a new license from your vendor and apply it.  It will simply change the expiration date which you can check with:

     

    show system license



  • 3.  RE: SRX 650_Firewall policy issue

    Posted 10-28-2015 14:44

    Thank You very much !!!

     

    Kindly verify that the following steps will resolve this issue.

    Proposed configuration (I am very new to Juniper, so each step and the address book are confusing me a little bit):

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    # top
    # edit security zones security-zone trust
    # set address-book address Internal-DNS-Server3_192.168.55.12 192.168.55.12/32
    # set address-book address-set Internet-Access-Server address Internal-DNS-Server3_192.168.55.12

    # top
    # edit security policies from-zone trust to-zone untrust
    # set policy NEWPOLICY_1 match source-address Internal-DNS-Server3_192.168.55.12
    # set policy NEWPOLICY_1 match destination-address any
    # set policy NEWPOLICY_1 match application junos-smtp
    # set policy NEWPOLICY_1 match application tcp_465
    # set policy NEWPOLICY_1 match application tcp_587
    # set policy NEWPOLICY_1 then permit application-services idp

    # commit and-exit

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 

     

    _END_PROPOSED CONFIGURATION

     

    I didn't touch the existing system so far; the configuration is already there, I joined recently.

    Internet-Access-Server has the following EXISTING entries present. I hope the new configuration said above won't change/override/affect any previous entries or the existing system.

     

     

    set security zones security-zone trust address-book address-set Internet-Access-Server address WebServer1_192.168.14.100
    set security zones security-zone trust address-book address-set Internet-Access-Server address WebServer2_192.168.71.100
    set security zones security-zone trust address-book address-set Internet-Access-Server address SFTP1_192.168.71.101
    set security zones security-zone trust address-book address-set Internet-Access-Server address SFTP2_192.168.81.101
    set security zones security-zone trust address-book address-set Internet-Access-Server address Internal-DNS-Server2_192.168.55.11

     

     

    Thanks & Regards
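As an added example (not part of this thread, and not a Juniper tool): a small Python checker for the rule the accepted answer states, that a host must exist in the zone's address book before a policy or address-set can reference it. It parses Junos-style "set" statements in the full form used in the posts above (not the edit-relative form), records each zone's address book, and reports any source-address, destination-address or address-set member whose name is not defined there. The sample configuration is constructed for this example and models only zone-attached address books, not the global address book; the name Inernal-DNS-Server3_192.168.55.12 in it is a deliberate typo of the kind that "show | compare" will happily display but "commit" will reject.

```python
from dataclasses import dataclass, field

BUILTIN_ADDRESSES = {"any", "any-ipv4", "any-ipv6"}


@dataclass
class AddressBook:
    """Address book attached to one security zone."""
    addresses: dict = field(default_factory=dict)  # name -> prefix
    sets: dict = field(default_factory=dict)       # address-set name -> [member names]


def _expand_values(tokens):
    """Return the value(s) following a keyword, expanding a [a b c] bracket group."""
    if tokens and tokens[0].startswith("["):
        joined = " ".join(tokens)
        inner = joined[joined.index("[") + 1:joined.index("]")]
        return inner.split()
    return tokens[:1]


def parse_config(text):
    """Parse 'set' statements into per-zone address books and policy address references.

    Returns (books, refs) where books maps zone -> AddressBook and refs is a list of
    (zone, policy, field, name) tuples taken from policy match statements.
    """
    books = {}
    refs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "set":
            continue
        if parts[1:3] == ["security", "zones"] and "address-book" in parts:
            zone = parts[parts.index("security-zone") + 1]
            book = books.setdefault(zone, AddressBook())
            i = parts.index("address-book")
            if parts[i + 1] == "address":
                book.addresses[parts[i + 2]] = parts[i + 3]
            elif parts[i + 1] == "address-set" and parts[i + 3] == "address":
                members = book.sets.setdefault(parts[i + 2], [])
                members.extend(_expand_values(parts[i + 4:]))
        elif parts[1:3] == ["security", "policies"] and "match" in parts:
            from_zone = parts[parts.index("from-zone") + 1]
            to_zone = parts[parts.index("to-zone") + 1]
            policy = parts[parts.index("policy") + 1]
            m = parts.index("match")
            field_name = parts[m + 1]
            # source addresses resolve in the from-zone book, destinations in the to-zone book
            if field_name == "source-address":
                zone = from_zone
            elif field_name == "destination-address":
                zone = to_zone
            else:
                continue  # application and other match terms are not address references
            for name in _expand_values(parts[m + 2:]):
                refs.append((zone, policy, field_name, name))
    return books, refs


def find_undefined(books, refs):
    """Report references to names that are neither an address nor an address-set in that zone."""
    problems = []
    for zone, policy, field_name, name in refs:
        if name in BUILTIN_ADDRESSES:
            continue
        book = books.get(zone, AddressBook())
        if name not in book.addresses and name not in book.sets:
            problems.append(
                f"policy {policy}: {field_name} '{name}' is not defined in zone '{zone}' address book")
    for zone, book in books.items():
        for set_name, members in book.sets.items():
            for member in members:
                if member not in book.addresses and member not in book.sets:
                    problems.append(
                        f"address-set {set_name} in zone '{zone}': member '{member}' is not a defined address")
    return problems


def check(text):
    """Convenience wrapper: parse the configuration text and return the list of problems."""
    books, refs = parse_config(text)
    return find_undefined(books, refs)


# Constructed sample: one correct bracket-form policy and two references with typos.
SAMPLE_CONFIG = """\
set security zones security-zone trust address-book address Internal-DNS-Server2_192.168.55.11 192.168.55.11/32
set security zones security-zone trust address-book address Internal-DNS-Server3_192.168.55.12 192.168.55.12/32
set security zones security-zone trust address-book address-set Internet-Access-Server address Internal-DNS-Server2_192.168.55.11
set security zones security-zone trust address-book address-set Internet-Access-Server address Internal-DNS-Server33_192.168.55.12
set security policies from-zone trust to-zone untrust policy SOCO007XXXXXXX1 match source-address [Internal-DNS-Server2_192.168.55.11 Internal-DNS-Server3_192.168.55.12]
set security policies from-zone trust to-zone untrust policy SOCO007XXXXXXX1 match destination-address any
set security policies from-zone trust to-zone untrust policy NEWPOLICY_1 match source-address Inernal-DNS-Server3_192.168.55.12
"""

if __name__ == "__main__":
    for problem in check(SAMPLE_CONFIG):
        print(problem)
```

Run it against the output of "show configuration | display set" before committing: the two lines it prints for the sample correspond to the two mistakes, a misspelled source-address in NEWPOLICY_1 and an address-set member that was never defined, while the bracket-form source-address list in SOCO007XXXXXXX1 passes because both names exist in the trust address book.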